Vigil@nce: PHP, information disclosure via session_start
December 2009 by Vigil@nce
An attacker can use a long session cookie to obtain the
installation path of the web site.
Severity: 1/4
Consequences: data reading
Provenance: internet client
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: multiple sources (3/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 29/12/2009
IMPACTED PRODUCTS
– PHP
DESCRIPTION OF THE VULNERABILITY
The PHP session_start() function initializes the session.
Sessions are saved in a temporary directory:
  /tmp/sess_[name-of-the-session]
However, if the session name is longer than the maximum file name
length, an error occurs in the session_start() function. The error
message contains the installation path of the web site:
  Warning: session_start() open(/tmp/sess_aaa..aa) in /path/page.php
An attacker can therefore use a long session cookie to obtain the
installation path of the web site.
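A defensive check for the behaviour described above, as an added example that is not part of the original advisory or of PHP itself: it rejects an over-long or malformed session cookie before session_start() opens the session file, and keeps warnings out of the response. MAX_SID_LEN and the names sid_is_acceptable() and safe_session_start() are assumptions made for illustration.

```php
<?php
// Added example (not from the advisory): validate the client-supplied session
// ID before session_start() tries to open /tmp/sess_<id>.

// Assumed policy value, far below the usual 255-byte file name limit.
const MAX_SID_LEN = 128;

// True when $sid uses only the characters PHP generates for session IDs
// and is short enough to form a valid file name.
function sid_is_acceptable($sid): bool
{
    return is_string($sid)
        && preg_match('/\A[A-Za-z0-9,-]{1,' . MAX_SID_LEN . '}\z/', $sid) === 1;
}

// Hypothetical wrapper to call instead of session_start().
function safe_session_start(): bool
{
    // Keep warnings, which carry the script path, out of the response body;
    // they still reach the server-side error log.
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');

    $name = session_name();
    if (isset($_COOKIE[$name]) && !sid_is_acceptable($_COOKIE[$name])) {
        // Record the event without echoing the oversized value.
        $len = is_string($_COOKIE[$name]) ? strlen($_COOKIE[$name]) : -1;
        error_log("rejected session cookie: length=$len");
        // Ignore the cookie and start from a freshly generated ID.
        unset($_COOKIE[$name]);
        session_id(bin2hex(random_bytes(16)));
    }
    return session_start();
}

safe_session_start();
```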
CHARACTERISTICS
Identifiers: VIGILANCE-VUL-9316
http://vigilance.fr/vulnerability/PHP-information-disclosure-via-session-start-9316